Vulnerabilities > Librehealth > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-06-08 CVE-2022-31497 Cross-site Scripting vulnerability in Librehealth EHR 2.0.0
LibreHealth EHR Base 2.0.0 allows interface/main/finder/finder_navigation.php patient XSS.
4.3
2022-06-07 CVE-2022-31495 Cross-site Scripting vulnerability in Librehealth EHR 2.0.0
LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php return_page XSS.
4.3
2022-06-06 CVE-2022-31494 Cross-site Scripting vulnerability in Librehealth EHR 2.0.0
LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php action XSS.
4.3
2022-06-06 CVE-2022-31498 Cross-site Scripting vulnerability in Librehealth EHR 2.0.0
LibreHealth EHR Base 2.0.0 allows interface/orders/patient_match_dialog.php key XSS.
4.3
2022-06-06 CVE-2022-31492 Cross-site Scripting vulnerability in Librehealth EHR 2.0.0
Cross Site scripting (XSS) vulnerability inLibreHealth EHR Base 2.0.0 via interface/usergroup/usergroup_admin_add.php Username.
4.3
2022-06-06 CVE-2022-31493 Cross-site Scripting vulnerability in Librehealth EHR 2.0.0
LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php acl_id XSS.
4.3
2022-05-05 CVE-2022-29938 SQL Injection vulnerability in Librehealth EHR 2.0.0
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameter payment_id in interface\billing\new_payment.php via interface\billing\payment_master.inc.php leads to SQL injection.
network
low complexity
librehealth CWE-89
6.5
2020-09-01 CVE-2020-23829 Unrestricted Upload of File with Dangerous Type vulnerability in Librehealth EHR 2.0.0
interface/new/new_comprehensive_save.php in LibreHealth EHR 2.0.0 suffers from an authenticated file upload vulnerability, allowing remote attackers to achieve remote code execution (RCE) on the hosting webserver by uploading a maliciously crafted image.
network
low complexity
librehealth CWE-434
6.5
2020-07-15 CVE-2020-11438 Cross-Site Request Forgery (CSRF) vulnerability in Librehealth EHR 2.0.0
LibreHealth EMR v2.0.0 is affected by systemic CSRF.
6.8
2020-07-15 CVE-2020-11437 SQL Injection vulnerability in Librehealth EHR 2.0.0
LibreHealth EMR v2.0.0 is affected by SQL injection allowing low-privilege authenticated users to enumerate the database.
network
low complexity
librehealth CWE-89
4.0